Privacy
Surveillance, Security, and the Growing Privacy Backlash
Sweden bans AI driver monitoring, India blocks Telegram, France mandates quantum encryption, and more – a packed privacy landscape.
Sweden Rules Securitas AI Driver Monitoring Unlawful Under GDPR
Sweden’s data protection authority, IMY, ruled on June 16, 2026, that Securitas Sverige AB violated EU privacy law by deploying AI-powered cameras that continuously monitored driver behavior inside patrol vehicles. The cameras analyzed behavior frame by frame against risk profiles for distraction or drowsiness and issued real-time alerts to drivers and management. During part of the pilot, footage was also recorded. IMY found the system constituted a far-reaching intrusion into employee privacy and that Securitas failed to establish any lawful basis under GDPR for the continuous behavioral monitoring. The safety rationale alone was insufficient under Article 6(1)(f), which requires a three-part legitimate interests assessment. Because the pilot was limited and discontinued, IMY issued a reprimand rather than a financial penalty. The ruling applies to any EU employer deploying continuous behavioral AI monitoring without a documented legitimate interests assessment addressing proportionality. The EU AI Act’s full high-risk obligations for such systems take effect August 2, 2026. The review began after workers objected during union negotiations; approximately 50 UPS drivers had also filed complaints, which IMY directed to this leading case. Continuous behavioral analysis throughout a shift has repeatedly failed the legitimate interests test in European DPA rulings, while narrower event-triggered systems with documented assessments have a more defensible position.
GDPR Driver Monitoring Fails Safety Defense: Securitas AI Cameras Ruled Unlawful →
AI Toy Apps for Kids Track Users and Collect Personal Data, Study Finds
Cybernews analyzed 10 Android companion apps for children’s AI and robotic toys, including Loona, Dash & Dot, Sphero, mBlock, and Miko, and found that half of all declared permissions are considered dangerous by Android guidelines. Third-party trackers were identified in seven of the ten applications, including two advertising trackers, two profiling trackers, and one location tracker. All ten apps required precise location access for Bluetooth Low Energy searches; six required microphone access, five required camera access, and eight required Bluetooth scanning. Two apps had advertising and profiling trackers, and Loona also contained a location tracker. Researchers emphasized that data minimization is essential for children’s apps, as children are less likely to understand data collection and privacy implications. The FTC’s Children’s Online Privacy Protection Rule updates under former chair Lina M. Khan limited data retention and required opt-in consent for targeted advertising to children, but enforcement remains a challenge.
Experts warns AI toy apps for kids are tracking users and collecting personal data →
France Sets 2027 Deadline for Quantum-Resistant Encryption in Certified Products
France’s cybersecurity agency ANSSI will stop certifying security products that lack quantum-resistant encryption starting in 2027, Samih Soussi announced at the France Quantum conference. By 2030, businesses should purchase quantum-safe products. ANSSI certification is mandatory for operators of government and critical infrastructure, forcing older systems to transition. The move addresses the looming Q-day when quantum computers can break current encryption protecting bank transactions, medical records, and government communications. Soussi highlighted harvest-now-decrypt-later attacks, where encrypted data is collected now for future decryption. Experts like Henry Yuen of Columbia University and Bill Fefferman called the timeline timely, noting that post-quantum cryptographic schemes have received far less scrutiny and involve performance tradeoffs. IBM Quantum’s Jerry Chow said quantum threats could emerge by the mid-2030s. France has a national quantum plan valued at approximately $3.5 billion and is part of the G7 Cybersecurity Working Group, which released a statement on quantum security last month. Companies face a dual compliance burden in auditing products and securing data to meet ANSSI’s requirements.
The Quantum Threat to Encryption Is Coming. France Just Set a 2027 Deadline →
Europol Maintained Secret Shadow Database, Brussels Now Proposes Doubling Budget and Expanding Powers
An investigation in May 2025 revealed that Europol operated a secret shadow IT environment parallel to its official databases, which at one point held over 95 percent of the data the agency had collected and was 420 times larger than its official databases. The parallel database operated outside Europol’s legal framework with limited oversight and no compliance with basic IT security and data protection norms. Its existence was concealed until an inquiry by the European Data Protection Supervisor in 2019. After being admonished, Europol faced no repercussions; in 2022, the EU rewrote the law to legalize the practices. On June 24, 2025, the European Commission is expected to propose overhauling Europol’s mandate, more than doubling its annual budget to €444 million by 2034, removing remaining data protection safeguards, weakening EDPS oversight, and extending the scope of crimes. Europol processes data on political activities, travel passengers, and non-EU nationals, and engages in extensive data exchange. Consequences for affected individuals include restrictions on free movement, bank account freezes, increased surveillance, and risk of arrest. Europol also contributes to criminalizing social movements, as seen in its 2023 Terrorism Situation and Trend Report, which associated legitimate protest tactics with terrorism.
Europol is going rogue – so Brussels is doubling its budget?? →
Singaporean Brothers Develop Encryption Based on Unsolvable Math Equations
Lim Meng Liang, 38, and his older brother Ken Lin, 45, founded Aires Applied Quantum Technology in 2023 to commercialize encryption based on Diophantine equations, notoriously complex mathematical problems with no solutions. Lim secured his first US patent in 2022 for methods exploiting these equations to encrypt data. Aires has raised over US$2 million from private investors and local agencies and is seeking to list in the US, Singapore, or Japan to raise an eight-digit figure. Its flagship product LionGuard is a mobile app that encrypts files on devices, cloud, or networks, with a monthly subscription of $388 per user. The app is in beta with over 100 subscribers, including enterprise customers in oil and gas, commodities trading, and banking. Lin stated that a standard computer may take 1,000 years to crack current encryption, but a quantum computer could do it in two days, whereas Diophantine-based encryption is practically impossible for quantum computers to solve. Aires holds four international patents, including for encrypting 2D codes such as barcodes and QR codes, being piloted in Europe for payment, logistics, and supply-chain authentication.
Singaporean brothers use unsolvable maths equations to build modern, unbreakable encryption →
India’s Telegram Ban Upheld by Court, Threatening Encrypted Apps
India’s Delhi High Court ruled Friday that the government can ban an entire messaging platform under emergency powers in Section 69A of the Information Technology Act, dismissing Telegram’s challenge to a nationwide block affecting over 150 million Indian users since mid-June. The ban was imposed before the NEET-UG 2026 medical entrance re-examination after criminal networks used Telegram channels to defraud approximately 1,500 medical school aspirants out of a combined ₹1.5 crore by selling fabricated paper leaks. The court held that Telegram’s architecture made targeted enforcement structurally impossible, as removed channels can reappear under new names in minutes. Justice Tejas Karia ruled that the government was empowered to block Telegram and that the test of proportionality was satisfied. The court also upheld a separate order requiring Telegram to disable its message-editing feature for all Indian users through June 30. The Internet Freedom Foundation called the ban disproportionate and constitutionally incompatible. Telegram CEO Pavel Durov accused an entity associated with Reliance of extending the ban via BGP hijacking, affecting users outside India; Reliance Jio denied involvement. The ban is set to expire June 22, while the message-editing order runs through June 30. The ruling has implications for other encrypted platforms like Signal and WhatsApp, which share similar structural features.
India’s Telegram Ban Upheld by Court, Putting 150 Million Users and Every Encrypted App at Risk →
Canadians Have Days Left to Claim Up to $500 in LastPass Data Breach Settlement
Eligible Canadians affected by the 2022 LastPass data breach can file a claim for a share of a US$3 million court-approved settlement (approximately C$4.2 million) by the deadline of 11:59 p.m. PT on June 23, 2026. The breach involved a threat actor using credentials stolen from a senior employee to access user information. A class-action lawsuit was brought in the Supreme Court of British Columbia alleging negligence, failure to protect personal information, and inadequate breach communication. The settlement was approved on February 18 and covers legal fees and expenses. Three claim types are available: wasted time (up to five hours at C$34.01 per hour, total C$170.05), out-of-pocket expenses up to C$500 with proof, and crypto assets allegedly lost. Claimants must submit personal information and supporting documents via the LastPass class-action website. The settlement is not an admission of liability; the defendants deny all allegations.
Canadians have days left to claim up to $500 in $4M data breach settlement →
Canada’s Bill C-22 and C-34 Raise Alarm Over Online Surveillance and Encryption
Prime Minister Mark Carney’s government is advancing Bill C-22, the Lawful Access Act, and Bill C-34, which critics describe as building an online surveillance state. Bill C-22 could effectively ban VPNs and break encryption; after fast-tracking, the House of Commons narrowed the bill so providers cannot be forced to store browsing data or the substance of content, and the maximum data retention order is six months. The bill states providers do not have to break encryption if it would introduce a systemic vulnerability, but critics argue the definition is narrow. The bill also allows the public safety minister to issue secret orders compelling service providers to reveal personal data without notifying the target. Bill C-34 proposes age-verification mechanisms for websites with social components or AI chatbots, requiring collection of more information on users and raising privacy concerns. Several MPs, cybersecurity experts, the Canadian Chamber of Commerce, Apple, Meta, Signal, NordVPN, and U.S. Congressional leaders have warned against the bills. The government is rushing them through Parliament with a majority.
NP View: Mark Carney’s online surveillance state →
Anthropic’s Updated Privacy Policy Adds Biometric Verification and Expanded Data Sharing
Anthropic published an updated privacy policy on June 8, 2026, effective July 8, 2026, introducing biometric identity verification for consumer accounts on Claude Free, Pro, and Max plans. The Verification Data section allows Anthropic to collect images of government-issued IDs, photos or videos of faces, and facial geometry templates, which may be considered biometric data in some jurisdictions. The verification is operated by third-party KYC provider Persona Identities. The policy also expands third-party data sharing rules for agentic sessions, where Claude may send inputs, outputs, and instructions to third-party services, and users must review each third-party’s privacy policy. A new category called Study Participation Data covers responses to research studies. The policy retains a 30-day back-end deletion window for individual conversations and adds de-identification techniques. The changes do not apply to Claude Team, Enterprise, or Platform accounts. Anthropic’s European data controller is in Dublin; users outside the European Region deal with Anthropic PBC in San Francisco. The policy lists legal bases including vital interests, which is typically reserved for life-or-death situations, without explanation.
Anthropic’s new privacy policy adds biometric checks to Claude accounts →
Council of Europe Data Breach: ShinyHunters Publishes 297 GB of Employee Records
ShinyHunters published 297 gigabytes of Council of Europe employee data after the intergovernmental body failed to meet a June 16 ransom deadline. The criminal group then announced it will make all stolen files permanently available through mirrors and torrent downloads, removing the possibility of forced takedown. The breach exploited CVE-2026-35273, a critical zero-day vulnerability in Oracle PeopleSoft’s Environment Management Hub with a CVSS score of 9.8. More than 100 organizations were exploited before Oracle issued any advisory. The exfiltrated dataset covers 15 years of records for over 10,000 current and former employees, including bank account details, medical records, salary histories, social security data, payslips, CVs, and personnel files. ShinyHunters operates a pay-or-leak model without ransomware encryption. The FBI advises against paying ransom. The group has transformed into a cybercrime brand surviving arrests and infrastructure seizures; it has claimed over 40 breaches in 2026 alone. The Council of Europe has not announced a formal notification plan for affected individuals.
Council of Europe Data Breach: ShinyHunters Makes 10,000 Employees’ Records Permanent →
Vermont Bans AI-Only Therapy and Tightens Data Broker Regulations
Vermont Governor Phil Scott signed two pieces of legislation in June 2026. Act 156, signed June 17, prohibits corporations and entities from providing mental health services independently through AI systems. It defines AI and mental health services broadly, but does not prohibit licensed professionals from using HIPAA-compliant AI tools within their scope of practice, provided the professional reviews and approves services. FDA-authorized software-based medical products remain usable if prescribed by a licensed professional. Violations are enforceable under Vermont’s Consumer Protection Act and constitute unprofessional conduct for licensed mental health professionals. The Vermont Artificial Intelligence Advisory Council must report on AI regulation in mental health by January 15, 2027. Act 138, signed June 16, overhauls Vermont’s data broker registration framework, raising the annual registration fee from $100 to $900 effective January 1, 2027. It requires data brokers to disclose whether they share data with GenAI developers, collect precise geolocation (within 1,850 feet), and report on sensitive categories including reproductive health, biometric data, immigration status, and sexual orientation. Brokers also must report data sharing with foreign actors, government, and law enforcement. The Secretary of State must study a universal deletion mechanism. The act also adds educational technology registration requirements for providers serving Vermont schools.
Vermont bans AI-only therapy and tightens data broker rules →
ChatGPT Can Now Read Your Bank Statements: New Finance Feature Raises Privacy Questions
On May 15, 2026, OpenAI released a preview of a personal finance feature inside ChatGPT for Pro subscribers in the United States. The feature supports over 12,000 financial institutions through Plaid and uses GPT-5.5 Thinking as the default model. Users can link accounts to sync and categorize transaction data, view portfolio performance, spending patterns, and upcoming payments. ChatGPT can answer questions across multiple accounts, but cannot see full account numbers or execute transactions. OpenAI developed an internal finance benchmark where GPT-5.5 Pro scored 82.5 out of 100. Intuit is a forthcoming integration. Pro subscribers also have access to GPT-5.5 Pro. Disconnecting an account removes it immediately from the Finances page, but synced data is deleted within 30 days. OpenAI’s advertising pilot currently excludes financial services advertisers, but if this changes, the combination of bank-linked spending data and personal finance context could create powerful audience profiling. The feature arrives as AI platforms converge on personal data as a differentiator, and as Florida’s lawsuit against OpenAI cites collection of health, financial, relationship, and location data. Over 200 million people per month already use ChatGPT for budgeting and investment questions, and this feature aims to ground responses in real account data.
ChatGPT can read your bank statements now - here’s what it knows →
📡 From social media
Anthropic Now Requires Government ID Verification for Some Claude Capabilities
Anthropic has begun requiring identity verification using a government photo ID before unlocking certain Claude capabilities. The verification is conducted through Persona, a company in Peter Thiel’s portfolio. Persona’s own source code was reportedly left on a public server, accessible for download. OpenAI also uses Persona for similar purposes. The White House switched off Anthropic’s most capable models for all non-US citizens, a move triggered by Amazon, which has committed up to $33 billion to Anthropic. The ID verification requirement adds a new layer of data collection for users seeking full access to Claude.